<html><head><title>Burp Scanner Report</title>
<meta http-equiv="Content-Security-Policy" content="default-src 'none';img-src 'self' data:;style-src 'unsafe-inline'" />
<style type="text/css">
body { background: #dedede; font-family: 'Droid sans', Helvetica, Arial, sans-serif; color: #404042; -webkit-font-smoothing: antialiased; }
#container { width: 930px; padding: 0 15px; margin: 20px auto; background-color: #ffffff; }
table { font-family: Arial, sans-serif; }
a:link, a:visited { color: #ff6633; text-decoration: none; transform: 0.3s; }
a:hover, a:active { color: #e24920; text-decoration: underline; }
h1 { font-size: 1.6em; line-height: 1.4em; font-weight: normal; color: #404042; }
h2 { font-size: 1.3em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: normal; color: #404042;}
h4 { font-size: 1.0em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: bold; color: #404042;}
.rule { height: 0px; border-top: 1px solid #404042; padding: 0; margin: 20px -15px 0 -15px; }
.title { color: #ffffff; background: #ff6633; margin: 0 -15px 10px -15px; overflow: hidden; }
.title h1 { color: #ffffff; padding: 10px 15px; margin: 0; font-size: 1.8em; }
.title img { float: right; display: inline; padding: 1px; }
.heading { background: #404042; margin: 0 -15px 10px -15px; padding: 0; display: inline-block; overflow: hidden; }
.heading img { float: right; display: inline; margin: 8px 10px 0 10px; padding: 0; }
.code { font-family: 'Courier New', Courier, monospace; }
table.overview_table { border: 2px solid #e6e6e6; margin: 0; padding: 5px;}
table.overview_table td.info { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.info_end { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; }
table.overview_table td.colour_holder { padding: 0px; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.colour_holder_end { padding: 0px; border-top: 2px solid #ffffff; }
table.overview_table td.label { padding: 5px; font-weight: bold; }
table.summary_table td { padding: 5px; background: #dedede; text-align: left; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.summary_table td.icon { background: #404042; }
.colour_block { padding: 5px; text-align: right; display: block; font-weight: bold; }
.high_certain { border: 2px solid #f00; background: #f00; }
.high_firm { border: 2px solid #f66; background: #f66; }
.high_tentative { border: 2px solid #fcc; background: #fcc; }
.medium_certain { border: 2px solid #f90; background: #f90; }
.medium_firm { border: 2px solid #ffc266; background: #ffc266; }
.medium_tentative { border: 2px solid #ffebcc; background: #ffebcc; }
.low_certain { border: 2px solid #fe0; background: #fe0; }
.low_firm { border: 2px solid #fff566; background: #fff566; }
.low_tentative { border: 2px solid #fffccc; background: #fffccc; }
.info_certain { border: 2px solid #ababab; background: #ababab; }
.info_firm { border: 2px solid #cdcdcd; background: #cdcdcd; }
.info_tentative { border: 2px solid #eee; background: #eee; }
.row_total { border: 1px solid #dedede; background: #fff; }
.grad_mark { padding: 4px; border-left: 1px solid #404042; display: inline-block; }
.bar { margin-top: 3px; }
.TOCH0 { font-size: 1.0em; font-weight: bold; word-wrap: break-word; }
.TOCH1 { font-size: 0.8em; text-indent: -20px; padding-left: 50px; margin: 0; word-wrap: break-word; }
.TOCH2 { font-size: 0.8em; text-indent: -20px; padding-left: 70px; margin: 0; word-wrap: break-word; }
.BODH0 { font-size: 1.6em; line-height: 1.2em; font-weight: normal; padding: 10px 15px; margin: 0 -15px 10px -15px; display: inline-block; color: #ffffff; background-color: #ff6633; width: 100%; word-wrap: break-word; }
.BODH0 a:link, .BODH0 a:visited, .BODH0 a:hover, .BODH0 a:active { color: #ffffff; text-decoration: none; }
.BODH1 { font-size: 1.3em; line-height: 1.2em; font-weight: normal; padding: 13px 15px; margin: 0 -15px 0 -15px; display: inline-block; width: 100%; word-wrap: break-word; }
.BODH1 a:link, .BODH1 a:visited, .BODH1 a:hover, .BODH1 a:active { color: #404042; text-decoration: none; }
.BODH2 { font-size: 1.0em; font-weight: bold; line-height: 2.0em; width: 100%; word-wrap: break-word; }
.PREVNEXT { font-size: 0.7em; font-weight: bold; color: #ffffff; padding: 3px 10px; border-radius: 10px;}
.PREVNEXT:link, .PREVNEXT:visited { color: #ff6633 !important; background: #ffffff !important; border: 1px solid #ff6633 !important; text-decoration: none; }
.PREVNEXT:hover, .PREVNEXT:active { color: #fff !important; background: #e24920 !important; border: 1px solid #e24920 !important; text-decoration: none; }
.TEXT { font-size: 0.8em; padding: 0; margin: 0; word-wrap: break-word; }
TD { font-size: 0.8em; }
.HIGHLIGHT { background-color: #fcf446; }
.rr_div { border: 2px solid #ff6633; width: 916px; word-wrap: break-word; -ms-word-wrap: break-word; margin: 0.8em 0; padding: 5px; font-size: 0.8em; max-height: 300px; overflow-y: auto; }

div.scan_issue_false_positive_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image: url()}


@media print {
    body { width: 100%; color: #000000; position: relative; }
    #container { width: 98%; padding: 0; margin: 0; }
    h1 { color: #000000; }
    h2 { color: #000000;}
    .rule { margin: 20px 0 0 0; }
    .title { color: #000000; margin: 0 0 10px 0; padding: 10px 0; }
    .title h1 { color: #000000; }
    .title img { margin: -3px 0; }
    .heading { margin: 0 0 10px 0; }
    .BODH0 { color: #000000; }
    .BODH1 { color: #000000; }
    .PREVNEXT { visibility: hidden; display: none; }
    .rr_div { width: 98%; margin: 0.8em auto; max-height: none !important; overflow: hidden; }
}

</style>
</head>
<body>
<div id="container">
<div class="title"><img src="" width="184" height="58"><h1>Burp Scanner Report</h1></div>
<h1>Summary</h1>
<span class="TEXT">The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="4" height="40" align="center" class="label">Confidence</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="82" height="30" class="info">Certain</td>
        <td width="82" height="30" class="info">Firm</td>
        <td width="82" height="30" class="info">Tentative</td>
        <td width="82" height="30" class="info_end">Total</td>
    </tr>
    <tr>
        <td rowspan="4" valign="middle" class="label">Severity</td>
        <td class="info" height="30">High</td>
        <td class="colour_holder"><span class="colour_block high_certain">5</span></td>
        <td class="colour_holder"><span class="colour_block high_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block high_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">5</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Medium</td>
        <td class="colour_holder"><span class="colour_block medium_certain">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">0</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Low</td>
        <td class="colour_holder"><span class="colour_block low_certain">2</span></td>
        <td class="colour_holder"><span class="colour_block low_firm">2</span></td>
        <td class="colour_holder"><span class="colour_block low_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">4</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Information</td>
        <td class="colour_holder"><span class="colour_block info_certain">9</span></td>
        <td class="colour_holder"><span class="colour_block info_firm">11</span></td>
        <td class="colour_holder"><span class="colour_block info_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">20</span></td>
    </tr>
</table><br>
<span class="TEXT">The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="6" height="40" align="center" class="label">Number of issues</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="125"><span class="grad_mark">0</span></td>
        <td width="125"><span class="grad_mark">1</span></td>
        <td width="125"><span class="grad_mark">2</span></td>
        <td width="125"><span class="grad_mark">3</span></td>
        <td width="125"><span class="grad_mark">4</span></td>
    </tr>
    <tr>
        <td rowspan="3" valign="middle" class="label">Severity</td>
        <td class="info">High</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="625" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Medium</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Low</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="250" height="16"></td><td><img class="bar" src="" width="250" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
</table>

<div class="rule"></div>
<h1>Contents</h1>
<p class="TOCH0"><a href="#1">1.&nbsp;Cleartext submission of password</a></p>
<p class="TOCH1"><a href="#1.1">1.1.&nbsp;http://121.196.62.22:8082/</a></p>
<p class="TOCH1"><a href="#1.2">1.2.&nbsp;http://121.196.62.22:8082/login.php</a></p>
<p class="TOCH1"><a href="#1.3">1.3.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</a></p>
<p class="TOCH1"><a href="#1.4">1.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/captcha/</a></p>
<p class="TOCH1"><a href="#1.5">1.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</a></p>
<p class="TOCH0"><a href="#2">2.&nbsp;Password submitted using GET method</a></p>
<p class="TOCH0"><a href="#3">3.&nbsp;Cookie without HttpOnly flag set</a></p>
<p class="TOCH1"><a href="#3.1">3.1.&nbsp;http://121.196.62.22:8082/</a></p>
<p class="TOCH1"><a href="#3.2">3.2.&nbsp;http://121.196.62.22:8082/security.php</a></p>
<p class="TOCH0"><a href="#4">4.&nbsp;Unencrypted communications</a></p>
<p class="TOCH0"><a href="#5">5.&nbsp;Path-relative style sheet import</a></p>
<p class="TOCH0"><a href="#6">6.&nbsp;Input returned in response (reflected)</a></p>
<p class="TOCH1"><a href="#6.1">6.1.&nbsp;http://121.196.62.22:8082/ [name of an arbitrarily supplied URL parameter]</a></p>
<p class="TOCH1"><a href="#6.2">6.2.&nbsp;http://121.196.62.22:8082/login.php [URL path filename]</a></p>
<p class="TOCH1"><a href="#6.3">6.3.&nbsp;http://121.196.62.22:8082/login.php [name of an arbitrarily supplied URL parameter]</a></p>
<p class="TOCH1"><a href="#6.4">6.4.&nbsp;http://121.196.62.22:8082/robots.txt [URL path filename]</a></p>
<p class="TOCH0"><a href="#7">7.&nbsp;Cross-domain Referer leakage</a></p>
<p class="TOCH0"><a href="#8">8.&nbsp;Cross-domain script include</a></p>
<p class="TOCH0"><a href="#9">9.&nbsp;File upload functionality</a></p>
<p class="TOCH0"><a href="#10">10.&nbsp;Frameable response (potential Clickjacking)</a></p>
<p class="TOCH1"><a href="#10.1">10.1.&nbsp;http://121.196.62.22:8082/</a></p>
<p class="TOCH1"><a href="#10.2">10.2.&nbsp;http://121.196.62.22:8082/index.php</a></p>
<p class="TOCH1"><a href="#10.3">10.3.&nbsp;http://121.196.62.22:8082/login.php</a></p>
<p class="TOCH1"><a href="#10.4">10.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</a></p>
<p class="TOCH1"><a href="#10.5">10.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/captcha/</a></p>
<p class="TOCH1"><a href="#10.6">10.6.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</a></p>
<p class="TOCH1"><a href="#10.7">10.7.&nbsp;http://121.196.62.22:8082/vulnerabilities/exec/</a></p>
<p class="TOCH1"><a href="#10.8">10.8.&nbsp;http://121.196.62.22:8082/vulnerabilities/fi/</a></p>
<p class="TOCH1"><a href="#10.9">10.9.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli/</a></p>
<p class="TOCH1"><a href="#10.10">10.10.&nbsp;http://121.196.62.22:8082/vulnerabilities/upload/</a></p>
<p class="TOCH0"><a href="#11">11.&nbsp;Private IP addresses disclosed</a></p>
<p class="TOCH0"><a href="#12">12.&nbsp;Robots.txt file</a></p>
<br><div class="rule"></div>
<span class="BODH0" id="1">1.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00300100_cleartextsubmissionofpassword">Cleartext submission of password</a></span>
<br><a class="PREVNEXT" href="#2">Next</a>
<br>
<br><span class="TEXT">There are 5 instances of this issue:
<ul>
<li><a href="#1.1">/</a></li>
<li><a href="#1.2">/login.php</a></li>
<li><a href="#1.3">/vulnerabilities/brute/</a></li>
<li><a href="#1.4">/vulnerabilities/captcha/</a></li>
<li><a href="#1.5">/vulnerabilities/csrf/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>Some applications transmit passwords over unencrypted connections, making them vulnerable to interception. To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.</p>
<p>Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="1.1">1.1.&nbsp;http://121.196.62.22:8082/</span>
<br><a class="PREVNEXT" href="#1.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://121.196.62.22:8082/login.php</li></ul>The form contains the following password field:<ul><li>password</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /login.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Cookie: security=impossible; PHPSESSID=9hm6kc8obkpg0cvsd84r21mlk3; <br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 12:31:26 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br>&lt;div id="content"&gt;<br><br> &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="login.php" method="post"&gt;</span><br><br> &nbsp;&nbsp;&nbsp;&lt;fieldset&gt;<br><b>...[SNIP]...</b><br>&lt;/label&gt; <span class="HIGHLIGHT">&lt;input type="password" class="loginInput" AUTOCOMPLETE="off" size="20" name="password"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="1.2">1.2.&nbsp;http://121.196.62.22:8082/login.php</span>
<br><a class="PREVNEXT" href="#1.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#1.3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/login.php</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://121.196.62.22:8082/login.php</li></ul>The form contains the following password field:<ul><li>password</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /login.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:01:54 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br>&lt;div id="content"&gt;<br><br> &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="login.php" method="post"&gt;</span><br><br> &nbsp;&nbsp;&nbsp;&lt;fieldset&gt;<br><b>...[SNIP]...</b><br>&lt;/label&gt; <span class="HIGHLIGHT">&lt;input type="password" class="loginInput" AUTOCOMPLETE="off" size="20" name="password"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="1.3">1.3.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</span>
<br><a class="PREVNEXT" href="#1.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#1.4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/brute/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://121.196.62.22:8082/vulnerabilities/brute/</li></ul>The form contains the following password field:<ul><li>password</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/brute/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/index.php<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:02:35 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4962<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;/h2&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="POST"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Username:&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="1.4">1.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/captcha/</span>
<br><a class="PREVNEXT" href="#1.3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#1.5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/captcha/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://121.196.62.22:8082/vulnerabilities/captcha/</li></ul>The form contains the following password fields:<ul><li>password_current</li><li>password_new</li><li>password_conf</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/captcha/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/upload/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:40 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5693<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;div class="vulnerable_code_area"&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="POST" style="display:none;"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;h3&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_current"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_new"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_conf"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="1.5">1.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</span>
<br><a class="PREVNEXT" href="#1.4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#3.1">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/csrf/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://121.196.62.22:8082/vulnerabilities/csrf/</li></ul>The form contains the following password fields:<ul><li>password_current</li><li>password_new</li><li>password_conf</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/csrf/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/exec/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:05 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5012<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="GET"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Current password:&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_current"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_new"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_conf"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="2">2.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00400300_passwordsubmittedusinggetmethod">Password submitted using GET method</a></span>
<br><a class="PREVNEXT" href="#1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/csrf/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted using the GET method:<ul><li>http://121.196.62.22:8082/vulnerabilities/csrf/</li></ul>The form contains the following password fields:<ul><li>password_current</li><li>password_new</li><li>password_conf</li></ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>Some applications use the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.</p>
<p>Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>All forms submitting passwords should use the POST method. To achieve this, applications should specify the method attribute of the FORM tag as <b>method="POST"</b>. It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/598.html">CWE-598: Information Exposure Through Query Strings in GET Request</a></li>
</ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/csrf/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/exec/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:05 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5012<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="GET"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Current password:&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_current"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_new"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_conf"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="3">3.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500600_cookiewithouthttponlyflagset">Cookie without HttpOnly flag set</a></span>
<br><a class="PREVNEXT" href="#2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4">Next</a>
<br>
<br><span class="TEXT">There are 2 instances of this issue:
<ul>
<li><a href="#3.1">/</a></li>
<li><a href="#3.2">/security.php</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.</p>
<p>You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing. </p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href='https://www.owasp.org/index.php/HttpOnly'>Configuring HttpOnly</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="3.1">3.1.&nbsp;http://121.196.62.22:8082/</span>
<br><a class="PREVNEXT" href="#1.5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#3.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The following cookie was issued by the application and does not have the HttpOnly flag set:<ul><li><b>PHPSESSID</b></li></ul>The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.</span>
<h2>Request</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 302 Found<br>Date: Fri, 22 Sep 2023 12:31:26 GMT<br>Server: Apache/2.4.10 (Debian)<br><span class="HIGHLIGHT">Set-Cookie: PHPSESSID=9hm6kc8obkpg0cvsd84r21mlk3; path=/</span><br>Expires: Thu, 19 Nov 1981 08:52:00 GMT<br>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br>Pragma: no-cache<br>Set-Cookie: PHPSESSID=9hm6kc8obkpg0cvsd84r21mlk3; path=/; httponly<br>Set-Cookie: security=impossible; httponly<br>Location: login.php<br>Content-Length: 0<br>Connection: close<br>Content-Type: text/html; charset=UTF-8<br><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="3.2">3.2.&nbsp;http://121.196.62.22:8082/security.php</span>
<br><a class="PREVNEXT" href="#3.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6.1">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/security.php</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The following cookie was issued by the application and does not have the HttpOnly flag set:<ul><li><b>PHPSESSID</b></li></ul>The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.</span>
<h2>Request</h2>
<div class="rr_div"><span>POST /security.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Content-Type: application/x-www-form-urlencoded<br>Content-Length: 77<br>Referer: http://121.196.62.22:8082/security.php<br>Origin: http://121.196.62.22:8082<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br>security=low&amp;seclev_submit=Submit&amp;user_token=073edd0802b1f5a120f9ff3e9ac8f3c2</span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 302 Found<br>Date: Fri, 22 Sep 2023 13:04:39 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Thu, 19 Nov 1981 08:52:00 GMT<br>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br>Pragma: no-cache<br><span class="HIGHLIGHT">Set-Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; path=/</span><br>Set-Cookie: security=low<br>Location: /security.php<br>Content-Length: 0<br>Connection: close<br>Content-Type: text/html; charset=UTF-8<br><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="4">4.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/01000200_unencryptedcommunications">Unencrypted communications</a></span>
<br><a class="PREVNEXT" href="#3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue description</h2>
<span class="TEXT"><p>The application allows users to connect to it over unencrypted connections.  An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the application and obtain any information the user supplies. Furthermore, an attacker able to modify traffic could use the application as a platform for attacks against its users and third-party websites. Unencrypted connections have been exploited by ISPs and governments to track users, and to inject adverts and malicious JavaScript. Due to these concerns, web browser vendors are planning to visually flag unencrypted connections as hazardous.</p>
<p>
To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.
</p>
<p>Please note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active attackers, because they can easily remove references to encrypted resources when these references are transmitted over an unencrypted connection.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should use transport-level encryption (SSL/TLS) to protect all communications passing between the client and the server. The Strict-Transport-Security HTTP header should be used to ensure that clients refuse to access the server over an insecure connection.</p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure">Marking HTTP as non-secure</a></li>
<li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS">Configuring Server-Side SSL/TLS</a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP Strict Transport Security</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a></li>
</ul></span>
<div class="rule"></div>
<span class="BODH0" id="5">5.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00200328_pathrelativestylesheetimport">Path-relative style sheet import</a></span>
<br><a class="PREVNEXT" href="#4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to path-relative style sheet import (PRSSI) attacks. The first four conditions for an exploitable vulnerability are present (see issue background):<ol><li>The original response contains a path-relative style sheet import (see response 1).</li><li>When superfluous path-like data is placed into the URL following the original filename (see request 2), the application's response still contains a path-relative style sheet import (see response 2).</li><li>Response 2 can be made to render in a browser's quirks mode. The page does not contain a doctype directive, and so it will always be rendered in quirks mode. Further, the response does not prevent itself from being framed, so an attacker can frame the response within a page that they control, to force it to be rendered in quirks mode. (Note that this technique is IE-specific and due to P3P restrictions might sometimes limit the impact of a successful attack.)</li><li>When the path-relative style sheet import in response 2 is requested (see request 3) the application returns something other than the CSS response that was supposed to be imported (see response 3).</li></ol>It was not verified whether condition 5 holds (see issue background), and you should manually investigate whether it is possible to manipulate some text within response 3, to enable full exploitation of this issue.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>Path-relative style sheet import vulnerabilities arise when the following conditions hold:</p>
<ol>
<li>A response contains a style sheet import that uses a path-relative URL (for example, the page at "/original-path/file.php" might import "styles/main.css").</li><li>When handling requests, the application or platform tolerates superfluous path-like data following the original filename in the URL (for example, "/original-path/file.php/extra-junk/"). When superfluous data is added to the original URL, the application's response still contains a path-relative stylesheet import.</li><li>The response in condition 2 can be made to render in a browser's quirks mode, either because it has a missing or old doctype directive, or because it allows itself to be framed by a page under an attacker's control.</li>
<li>When a browser requests the style sheet that is imported in the response from the modified URL (using the URL "/original-path/file.php/extra-junk/styles/main.css"), the application returns something other than the CSS response that was supposed to be imported. Given the behavior described in condition 2, this will typically be the same response that was originally returned in condition 1.</li><li>An attacker has a means of manipulating some text within the response in condition 4, for example because the application stores and displays some past input, or echoes some text within the current URL.</li></ol>
<p>Given the above conditions, an attacker can execute CSS injection within the browser of the target user. The attacker can construct a URL that causes the victim's browser to import as CSS a different URL than normal, containing text that the attacker can manipulate.</p>
<p>Being able to inject arbitrary CSS into the victim's browser may enable various attacks, including:</p>
<ul>
  <li>Executing arbitrary JavaScript using IE's expression() function.</li><li>Using CSS selectors to read parts of the HTML source, which may include sensitive data such as anti-CSRF tokens.</li>
<li>Capturing any sensitive data within the URL query string by making a further style sheet import to a URL on the attacker's domain, and monitoring the incoming Referer header.</li></ul></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The root cause of the vulnerability can be resolved by not using path-relative URLs in style sheet imports. Aside from this, attacks can also be prevented by implementing all of the following defensive measures: </p>
<ul><li>Setting the HTTP response header "X-Frame-Options: deny" in all responses. One method that an attacker can use to make a page render in quirks mode is to frame it within their own page that is rendered in quirks mode. Setting this header prevents the page from being framed.</li><li>Setting a modern doctype (e.g. "&lt;!doctype html&gt;") in all HTML responses. This prevents the page from being rendered in quirks mode (unless it is being framed, as described above).</li>
<li>Setting the HTTP response header "X-Content-Type-Options: nosniff" in all responses. This prevents the browser from processing a non-CSS response as CSS, even if another page loads the response via a style sheet import.</li></ul></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="http://blog.portswigger.net/2015/02/prssi.html">Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities</a></li></ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://121.196.62.22:8082/<br>Cookie: PHPSESSID=mgh8huirci5j8siqm961tniln0; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 12:31:26 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br>&lt;/title&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;link rel="stylesheet" type="text/css" href="dvwa/css/login.css" /&gt;</span><br><br> &nbsp;&nbsp;&nbsp;&lt;/head&gt;<br><b>...[SNIP]...</b><br></span></div>
<h2>Request 2</h2>
<div class="rr_div"><span>GET /login.php<span class="HIGHLIGHT">/j3lqre/</span> HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://121.196.62.22:8082/<br>Cookie: PHPSESSID=0jsbuvfamf5pjic1m567mmt0a1; security=impossible<br><br></span></div>
<h2>Response 2</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 12:37:03 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br>&lt;/title&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;link rel="stylesheet" type="text/css" href="dvwa/css/login.css" /&gt;</span><br><br> &nbsp;&nbsp;&nbsp;&lt;/head&gt;<br><b>...[SNIP]...</b><br></span></div>
<h2>Request 3</h2>
<div class="rr_div"><span>GET <span class="HIGHLIGHT">/login.php/j3lqre/dvwa/css/login.css</span> HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://121.196.62.22:8082/<br>Cookie: PHPSESSID=ppifsjai1e275u7p7mvpttfka2; security=impossible<br><br></span></div>
<h2>Response 3</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 12:37:03 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="6">6.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00400c00_inputreturnedinresponsereflected">Input returned in response (reflected)</a></span>
<br><a class="PREVNEXT" href="#5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7">Next</a>
<br>
<br><span class="TEXT">There are 4 instances of this issue:
<ul>
<li><a href="#6.1">/ [name of an arbitrarily supplied URL parameter]</a></li>
<li><a href="#6.2">/login.php [URL path filename]</a></li>
<li><a href="#6.3">/login.php [name of an arbitrarily supplied URL parameter]</a></li>
<li><a href="#6.4">/robots.txt [URL path filename]</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>Reflection of input arises when data is copied from a request and echoed into the application's immediate response.</p><p>Input being returned in application responses is not a vulnerability in its own right. However, it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open redirection, content spoofing, and response header injection. Additionally, some server-side vulnerabilities such as SQL injection are often easier to identify and exploit when input is returned in responses. In applications where input retrieval is rare and the environment is resistant to automated testing (for example, due to a web application firewall), it might be worth subjecting instances of it to focused manual testing. </p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input Validation</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or Escaping of Output</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="6.1">6.1.&nbsp;http://121.196.62.22:8082/ [name of an arbitrarily supplied URL parameter]</span>
<br><a class="PREVNEXT" href="#3.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The name of an arbitrarily supplied URL parameter is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php/<span class="HIGHLIGHT">'%22%3e%3csvg%2fonload%3dfetch%60%2f%2f49bf9pa87anvz7jywee9f9tpxg39r1ft5hz4qsf%5c.burpcollaborator.net%60%3e</span> HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://121.196.62.22:8082/<br>Cookie: PHPSESSID=e7msn7mo4jh1odlf9m1tqjane2; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Fri, 22 Sep 2023 12:41:03 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 389<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /login.php/<span class="HIGHLIGHT">'&amp;quot;&amp;gt;&amp;lt;svg/onload=fetch`//49bf9pa87anvz7jywee9f9tpxg39r1ft5hz4qsf\.burpcollaborator.net`&amp;gt;</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="6.2">6.2.&nbsp;http://121.196.62.22:8082/login.php [URL path filename]</span>
<br><a class="PREVNEXT" href="#6.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6.3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/login.php</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The value of the URL path filename is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php<span class="HIGHLIGHT">rpqwvtfkpj</span> HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://121.196.62.22:8082/<br>Cookie: PHPSESSID=l9308vp0dfo348hoqkqbhidg26; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Fri, 22 Sep 2023 12:35:38 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 298<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /login.php<span class="HIGHLIGHT">rpqwvtfkpj</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="6.3">6.3.&nbsp;http://121.196.62.22:8082/login.php [name of an arbitrarily supplied URL parameter]</span>
<br><a class="PREVNEXT" href="#6.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6.4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/login.php</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The name of an arbitrarily supplied URL parameter is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>POST /login.php/<span class="HIGHLIGHT">'%22%3e%3csvg%2fonload%3dfetch%60%2f%2flpewp6qpnr3cfozfcvuqvq96dxjq7kvcl0fn7bw%5c.burpcollaborator.net%60%3e</span> HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://121.196.62.22:8082/login.php<br>Content-Type: application/x-www-form-urlencoded<br>Content-Length: 97<br>Cookie: PHPSESSID=j55aqokfkhr7vsrhbdoedl2h55; security=impossible<br><br>username=umGXdeYZ&amp;password=k0D%21l7r%21N2&amp;Login=Login&amp;user_token=8fe72528de0db14a27bc60ddc925355e</span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Fri, 22 Sep 2023 12:41:11 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 389<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /login.php/<span class="HIGHLIGHT">'&amp;quot;&amp;gt;&amp;lt;svg/onload=fetch`//lpewp6qpnr3cfozfcvuqvq96dxjq7kvcl0fn7bw\.burpcollaborator.net`&amp;gt;</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="6.4">6.4.&nbsp;http://121.196.62.22:8082/robots.txt [URL path filename]</span>
<br><a class="PREVNEXT" href="#6.3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.1">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/robots.txt</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The value of the URL path filename is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /robots.txt<span class="HIGHLIGHT">hzg6m8dpz4</span> HTTP/1.1<br>Host: 121.196.62.22:8082<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Fri, 22 Sep 2023 12:32:13 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 299<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /robots.txt<span class="HIGHLIGHT">hzg6m8dpz4</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="7">7.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500400_crossdomainrefererleakage">Cross-domain Referer leakage</a></span>
<br><a class="PREVNEXT" href="#6">Previous</a>
&nbsp;<a class="PREVNEXT" href="#8">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/fi/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page was loaded from a URL containing a query string:<ul><li>http://121.196.62.22:8082/vulnerabilities/fi/</li></ul>The response contains the following links to other domains:<ul><li>https://en.wikipedia.org/wiki/Remote_File_Inclusion</li><li>https://www.owasp.org/index.php/Top_10_2007-A3</li></ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.</p>
<p>If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.</p>
<p>You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.</p>
<p>Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behavior should not be relied upon to protect the originating URL from disclosure.</p>
<p>Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties. If placing sensitive information in the URL is unavoidable, consider using the Referer-Policy HTTP header to reduce the chance of it being disclosed to third parties.
</p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy">Referer Policy</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/fi/?page=include.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/csrf/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:13 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4414<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="https://en.wikipedia.org/wiki/Remote_File_Inclusion" target="_blank"&gt;</span>https://en.wikipedia.org/wiki/Remote_File_Inclusion&lt;/a&gt;<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="https://www.owasp.org/index.php/Top_10_2007-A3" target="_blank"&gt;</span>https://www.owasp.org/index.php/Top_10_2007-A3&lt;/a&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="8">8.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500500_crossdomainscriptinclude">Cross-domain script include</a></span>
<br><a class="PREVNEXT" href="#7">Previous</a>
&nbsp;<a class="PREVNEXT" href="#9">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/captcha/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The response dynamically includes the following script from another domain:<ul><li>http://www.google.com/recaptcha/api/challenge?k=</li></ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.</p>
<p>If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Scripts should ideally not be included from untrusted domains. Applications that rely on static third-party scripts should consider using Subresource Integrity to make browsers verify them, or copying the contents of these scripts onto their own domain and including them from there. If that is not possible (e.g. for licensing reasons) then consider reimplementing the script's functionality within application code.</p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li>
<a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity">Subresource Integrity</a>
</li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/829.html">CWE-829: Inclusion of Functionality from Untrusted Control Sphere</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/captcha/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/upload/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:40 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5693<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;script type="text/javascript" src="http://www.google.com/recaptcha/api/challenge?k="&gt;</span>&lt;/script&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="9">9.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500980_fileuploadfunctionality">File upload functionality</a></span>
<br><a class="PREVNEXT" href="#8">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/upload/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form which is used to submit a user-supplied file to the following URL:<ul><li>http://121.196.62.22:8082/vulnerabilities/upload/</li></ul>Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>File upload functionality is commonly associated with a number of vulnerabilities, including:</p>
<ul>
<li>File path traversal</li><li>Persistent cross-site scripting</li><li>Placing of other client-executable code into the domain</li><li>Transmission of viruses and other malware</li><li>Denial of service</li></ul>
<p>You should review file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.</p>
<p>Some factors to consider when evaluating the security impact of this functionality include:</p>
<ul>
<li>Whether uploaded content can subsequently be downloaded via a URL within the application.</li><li>What Content-type and Content-disposition headers the application returns when the file's content is downloaded.</li><li>Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.</li><li>Whether the application performs any filtering on the file extension or MIME type of the uploaded file.</li><li>Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).</li><li>What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.</li><li>Whether archive formats such as ZIP are unpacked by the application.</li><li>How the application handles attempts to upload very large files, or decompression bomb files.</li></ul></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:</p>
<ul>
<li>Use a server-generated filename if storing uploaded files on disk.</li><li>Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.</li><li>Enforce a whitelist of accepted, non-executable file extensions.</li>
<li>If uploaded files are downloaded by users, supply an accurate non-generic Content-Type header, the X-Content-Type-Options: nosniff header, and also a Content-Disposition header that specifies that browsers should handle the file as an attachment.</li>
<li>Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration).</li><li>Reject attempts to upload archive formats such as ZIP.</li></ul></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="https://github.com/cure53/H5SC/tree/master/attachments">Various proof-of-concept files</a></li>
<li><a href="http://labs.detectify.com/post/120088174539/building-an-xss-polyglot-through-swf-and-csp">An XSS polyglot attack</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/434.html">CWE-434: Unrestricted Upload of File with Dangerous Type</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/upload/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/fi/?page=include.php<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:19 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4832<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input name="uploaded" type="file" /&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="10">10.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking">Frameable response (potential Clickjacking)</a></span>
<br><a class="PREVNEXT" href="#9">Previous</a>
&nbsp;<a class="PREVNEXT" href="#11">Next</a>
<br>
<br><span class="TEXT">There are 10 instances of this issue:
<ul>
<li><a href="#10.1">/</a></li>
<li><a href="#10.2">/index.php</a></li>
<li><a href="#10.3">/login.php</a></li>
<li><a href="#10.4">/vulnerabilities/brute/</a></li>
<li><a href="#10.5">/vulnerabilities/captcha/</a></li>
<li><a href="#10.6">/vulnerabilities/csrf/</a></li>
<li><a href="#10.7">/vulnerabilities/exec/</a></li>
<li><a href="#10.8">/vulnerabilities/fi/</a></li>
<li><a href="#10.9">/vulnerabilities/sqli/</a></li>
<li><a href="#10.10">/vulnerabilities/upload/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.</p>
<p>Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.</p>
<p>You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>To effectively prevent framing attacks, the application should return a response header with the name <b>X-Frame-Options</b> and the value <b>DENY</b> to prevent framing altogether, or the value <b>SAMEORIGIN</b> to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.</p></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options">X-Frame-Options</a></li></ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/693.html">CWE-693: Protection Mechanism Failure</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="10.1">10.1.&nbsp;http://121.196.62.22:8082/</span>
<br><a class="PREVNEXT" href="#6.4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">This issue was found in multiple locations under the reported path.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/sqli_blind/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/sqli/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:55 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5157<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.2">10.2.&nbsp;http://121.196.62.22:8082/index.php</span>
<br><a class="PREVNEXT" href="#10.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/index.php</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /index.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/login.php<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:02:11 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 7274<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.3">10.3.&nbsp;http://121.196.62.22:8082/login.php</span>
<br><a class="PREVNEXT" href="#10.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/login.php</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:01:54 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.4">10.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</span>
<br><a class="PREVNEXT" href="#10.3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/brute/</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/brute/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/index.php<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:02:35 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4962<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.5">10.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/captcha/</span>
<br><a class="PREVNEXT" href="#10.4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.6">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/captcha/</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/captcha/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/upload/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:40 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5693<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.6">10.6.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</span>
<br><a class="PREVNEXT" href="#10.5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.7">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/csrf/</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/csrf/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/exec/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:05 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5012<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.7">10.7.&nbsp;http://121.196.62.22:8082/vulnerabilities/exec/</span>
<br><a class="PREVNEXT" href="#10.6">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.8">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/exec/</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/exec/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/brute/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:02:45 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4805<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.8">10.8.&nbsp;http://121.196.62.22:8082/vulnerabilities/fi/</span>
<br><a class="PREVNEXT" href="#10.7">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.9">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/fi/</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/fi/?page=include.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/csrf/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:13 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4414<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.9">10.9.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli/</span>
<br><a class="PREVNEXT" href="#10.8">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10.10">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/sqli/</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/sqli/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:49 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5117<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="10.10">10.10.&nbsp;http://121.196.62.22:8082/vulnerabilities/upload/</span>
<br><a class="PREVNEXT" href="#10.9">Previous</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/upload/</b></td>
</tr>
</table>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /vulnerabilities/upload/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/vulnerabilities/fi/?page=include.php<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:03:19 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4832<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="11">11.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00600300_privateipaddressesdisclosed">Private IP addresses disclosed</a></span>
<br><a class="PREVNEXT" href="#10">Previous</a>
&nbsp;<a class="PREVNEXT" href="#12">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/phpinfo.php</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The following RFC 1918 IP address was disclosed in the response:<ul><li>172.17.0.2</li></ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organization, the private addresses used internally cannot usually be determined in the same ways.</p>
<p>Discovering the private addresses used within an organization can help an attacker in carrying out network-layer attacks aiming to penetrate the organization's internal infrastructure. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>There is not usually any good reason to disclose the internal IP addresses used within an organization's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /phpinfo.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Referer: http://121.196.62.22:8082/security.php<br>Upgrade-Insecure-Requests: 1<br>Connection: close<br>Cookie: PHPSESSID=ki3897hcdl1quu4eok36fucfa7; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 13:04:26 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Thu, 19 Nov 1981 08:52:00 GMT<br>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 82276<br>Connection: close<br>Content-Type: text/html; charset=UTF-8<br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd"&gt;<br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;head&gt;<br>&lt;style type="text/css"&gt;<br>body {background-color: #fff; co<br><b>...[SNIP]...</b><br>&lt;td class="v"&gt;<span class="HIGHLIGHT">172.17.0.2</span>:80 &lt;/td&gt;<br><b>...[SNIP]...</b><br>&lt;td class="v"&gt;<span class="HIGHLIGHT">172.17.0.2</span> &lt;/td&gt;<br><b>...[SNIP]...</b><br>&lt;td class="v"&gt;<span class="HIGHLIGHT">172.17.0.2</span>&lt;/td&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="12">12.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00600600_robotsdottxtfile">Robots.txt file</a></span>
<br><a class="PREVNEXT" href="#11">Previous</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/robots.txt</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The web server contains a robots.txt file.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.</p>
<p>The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET <span class="HIGHLIGHT">/robots.txt</span> HTTP/1.1<br>Host: 121.196.62.22<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 12:31:39 GMT<br>Server: Apache/2.4.10 (Debian)<br>Last-Modified: Wed, 04 Jan 2017 09:34:35 GMT<br>ETag: "1a-545417e2380c0"<br>Accept-Ranges: bytes<br>Content-Length: 26<br>Connection: close<br>Content-Type: text/plain<br><br>User-agent: *<br>Disallow: /</span></div>
<div class="rule"></div>
<span class="TEXT"><br>Report generated by Burp Suite <a href="https://portswigger.net/vulnerability-scanner/">web vulnerability scanner</a> v2020.2, at Fri Sep 22 21:05:42 CST 2023.<br><br></span>
</div>
</body>
</html>
